NSA Exploits Used to Create Monero Mining Malware

A pair of exploits used by the NSA, which were leaked online earlier this year by the hacker group known as the Shadow Brokers, is now causing havoc by aiding a group that is using them to install malware which runs Monero mining software on infected computers. Cybersecurity researchers from F5 Networks have discovered an attacker who is scanning the internet for servers running vulnerable versions of Apache Struts and the DotNetNuke ASP.NET content management system that have not been updated to patch the flaws. Earlier this year the Apache Struts vulnerability was used by another group of hackers to perpetrate the attack on Equifax. The new hacking campaign has been dubbed Zealot.

Researchers from F5 Networks discovered that the malware downloads a “mule” file containing software that mines Monero. Monero is a highly privacy-centric cryptocurrency which has become very popular among users of the darknet, hackers, and cyber criminals. Unlike many other cryptocurrencies, such as Bitcoin, Monero is designed to prevent third parties from viewing users’ wallet balances and transaction amounts. With cryptocurrencies such as Bitcoin, all addresses and transactions can be viewed by the public by looking at the information stored on the coin’s blockchain.

The researchers from F5 Networks discovered that one Monero address receiving coins mined by the attacker’s malware had received at least $8,500 worth of Monero. It is not possible to know the total amount the attackers have made from their Monero mining malware so far. Like the Zealot attackers, the attackers responsible for the WannaCry ransomware attacks earlier this year also used the NSA’s EternalBlue exploit. One ransomware group managed to collect over $100,000 earlier this year by exploiting the same flaw in Apache Struts that the new Monero mining malware takes advantage of.

The Zealot malware campaign is targeting servers running Microsoft Windows and Linux. Against targets running vulnerable, unpatched versions of Microsoft Windows, the attackers are using the leaked NSA exploits EternalBlue and EternalSynergy. The NSA’s EternalBlue and EternalSynergy exploits were leaked by the Shadow Brokers in April of this year. Both exploits use flaws in Microsoft’s implementation of the Server Message Block (SMB) protocol. EternalBlue affected versions of Microsoft Windows including Windows XP, Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Microsoft released patches for all affected versions of Windows, including Windows Vista, which Microsoft had stopped supporting shortly prior to the release of the patch.

The perpetrators of this new Monero mining malware appear to be fans of the video game StarCraft, as many of the names and terms used in the malware are also used in the StarCraft video game. The term Zealot itself is used in both the StarCraft and StarCraft 2 video games, where it refers to a type of warrior. The attackers also used software from the EmpireProject. The researchers believe that the group perpetrating this new Monero mining malware attack is more sophisticated than the average malware attacker. “The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” the researchers from F5 Networks said in a post on their web site.

The Shadow Brokers had originally sought to auction off the NSA exploits they had obtained, but the group failed to raise the amount of Bitcoin they had hoped for. The Shadow Brokers then set up a web site on the decentralized network known as ZeroNet, becoming the first major hacker group to use a decentralized solution to make their web site resistant to censorship. ZeroNet works similarly to BitTorrent, in that everyone who visits a ZeroNet site, known as a Zite, also helps to share the site with other ZeroNet users, meaning there is no central server to shut down.